Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New Manjusaka toolkit used in attacks in Asia

Description: Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. Talos recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.

References: https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html

ClamAV signature: Win.Trojan.Manjusaka-9956281-1


Title: TCL LinkHub Mesh Wi-Fi system contains 17 vulnerabilities

Description: The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. What makes the LinkHub system unique is the lack of a network interface to manage the devices individually or in the mesh. Instead, a phone application is the only method to interact with these devices. However, this setup leaves the LinkHub Mesh Wi-Fi system open to several vulnerabilities, which we are disclosing today. An attacker could exploit these vulnerabilities to carry out a variety of malicious actions, including injecting code at the operating system level, stealing credentials and causing a denial of service of the entire network. During Talos' research into this product, 17 different vulnerability reports were generated. These reports group together similar CVEs into reports that are sent to vendors, and in this case are a grouping of 41 unique CVEs.

References: https://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misusing.html

Snort SIDs: 59013, 59020, 59026-59029, 59058, 59059, 59061, 59289-59291 and 59406-59411

Internet Storm Center Entries


Security researchers discovered a malicious UEFI-based rootkit that’s been used in the wild since 2016.
https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls/


The U.S. Department of Justice is investigating a data breach of the federal court system that dates back to 2020.
https://www.politico.com/news/2022/07/28/justice-department-data-breach-federal-court-system-00048485


WhatsApp says it will not weaken its end-to-end encryption at the request of any governments.
https://www.bbc.com/news/technology-62291328


The U.S. House Intelligence Committee passed a bill that includes a provision authorizing the Director of National Intelligence to prohibit the U.S. intelligence community from buying and using foreign spyware.
https://thehill.com/policy/cybersecurity/3580301-congress-takes-aggressive-stance-against-foreign-spyware/


The website of Taiwan's presidential office was targeted with several cyber attacks Tuesday preceding U.S. House Speaker Nancy Pelosi’s visit to the nation.
https://www.reuters.com/technology/website-taiwans-presidential-office-receives-overseas-cyber-attack-source-2022-08-02/


A recent cyberattack against student-tracking software highlighted how many public school students’ information is at risk.
https://www.nytimes.com/2022/07/31/business/student-privacy-illuminate-hack.html


The U.S. Cybersecurity and Infrastructure Security Agency has added the hardcoded credential vulnerability in Atlassian Confluence to its Known Exploited Vulnerabilities Catalog.
https://thehackernews.com/2022/07/cisa-warns-of-atlassian-confluence-hard.html


Researchers have found a way to use a single-core PC to break one of the post-quantum encryption algorithms chosen by NIST as a candidate to replace current algorithms.
https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-20229

Title: Out of bound write vulnerability in Google Android 10.0/11.0/12.0

Description: In bta_hf_client_handle_cind_list_item of bta_hf_client_at.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-224536184

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-20238

Title: Memory corruption vulnerability in Google Android kernel

Description: remap_pfn_range here may map memory beyond the intended size (for example, it may map the kernel area), and because vma->vm_page_prot can also be controlled by userspace, userspace may map the kernel area as writable, which is readily exploitable.

Product: Android. Versions: Android SoC. Android ID: A-233154555

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121

MD5: 9066dff68c1d66a6d5f9f2904359876c

VirusTotal: https://www.virustotal.com/gui/file/f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121/details

Typical Filename: dota-15_id3622928ids1s.exe

Claimed Product: N/A

Detection Name: W32.F21B040F7C.in12.Talos


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: 168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0

MD5: 311d64e4892f75019ee257b8377c723e

VirusTotal: https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0/details

Typical Filename: ultrasurf-21-32.exe

Claimed Product: N/A

Detection Name: W32.DFC.MalParent